How to Post Your NPP on Your Website (HIPAA Requirement)
NPP Generator Research Team · April 25, 2026 · 5 min read
Key Takeaways
- ✓ HIPAA requires posting your NPP on your website if it has health-related information
- ✓ The link must be placed "prominently" — footer, nav, or dedicated Privacy page
- ✓ HTML or PDF both satisfy the requirement; HTML is preferred for accessibility
- ✓ Update your posted NPP whenever you issue a materially revised version
- ✓ The website posting requirement is in addition to — not a substitute for — providing the NPP at first service
Under 45 CFR § 164.520(c)(3), any covered entity that maintains a website with information about its patient care services must post a prominent link to its Notice of Privacy Practices on that website. This is a separate obligation from providing the NPP at first service — both are required.
What the HIPAA regulation actually says
The relevant language from 45 CFR § 164.520(c)(3):
"If the covered health care provider maintains a web site that provides information about the covered entity's customer services or benefits, the covered health care provider must prominently post its notice on the web site."
Two conditions trigger this requirement: (1) you are a covered entity, and (2) you maintain a website that provides information about your services. If you have any practice website — even a basic one listing your hours and contact info — you almost certainly meet both conditions.
Where to place the link
HIPAA does not specify a pixel location, but "prominently" has been interpreted by OCR to mean the link should be easy for a patient to find without searching. Best practice placements:
- Website footer — the most common and expected location. Patients who are looking for privacy information scroll to the footer. Place it next to your Terms of Use and Privacy Policy.
- Main navigation or header — higher visibility but can feel cluttered for small practices. Works well if you have a "Patient Resources" dropdown.
- Dedicated Patient Privacy or Legal page — create a page at /privacy or /patient-privacy that contains the full NPP text or a direct link to the PDF.
- New patient intake page — if you have an online intake form, linking the NPP there serves dual purposes: it satisfies the website posting requirement and the first-service distribution requirement for patients who complete intake online.
Do not bury the NPP link deep inside a long Terms of Use document. If a patient or OCR investigator cannot find it within a few clicks of your homepage, the placement likely does not satisfy "prominently."
Format: HTML vs. PDF
Either format is compliant. Practical considerations:
- HTML (web page): Better for accessibility (screen readers), better for SEO, easier to update in-place. Patients can read it without downloading anything. If you use a practice website builder (Wix, Squarespace, WordPress), you can create a page, paste the NPP text, and link to it.
- PDF: Easier to produce if you already have a formatted PDF. Most patients expect PDFs for legal documents. A PDF download link is compliant. Make sure the PDF is text-based (not a scan) for accessibility.
- Linked PDF on a dedicated page: Common hybrid — create a /privacy-practices page with a brief description and a "Download our Notice of Privacy Practices (PDF)" link. This gives you both an indexable page and a formatted document.
Keeping the posted version current
When you issue a revised NPP — either due to a material change in your privacy practices or to update to the HHS 2026 model — you must update your website promptly. Specific steps:
- Replace the old PDF or update the HTML page with the new NPP text
- Update the effective date on the posted document
- If you replaced a prior version, include the supersede date (e.g., "This notice supersedes all prior versions effective [date]")
- Document the date you updated your website in your HIPAA compliance records
Maintaining an out-of-date NPP on your website — for example, still showing a 2013 model after you've issued a 2026-compliant version — is a violation of the website posting requirement even if you're distributing the correct version in your office.
Website posting vs. first-service distribution
Website posting does not substitute for in-person or electronic NPP distribution at first service. Both are required:
| Requirement | When | How |
|---|---|---|
| Website posting | Ongoing — must always be current | Prominent link to full NPP text or PDF |
| First-service distribution | At first patient service date | Paper copy or electronic delivery; request acknowledgment |
| Office posting | Ongoing — must always be current | Displayed at service delivery location |
Telehealth-only practices
If you are a telehealth-only practice with no physical location, you still need a website and you must post the NPP there. For telehealth practices, the website is your primary NPP distribution mechanism — you provide a link to the NPP via email or patient portal at first service, and the same NPP is posted on your website. See NPP for telehealth practices for the full telehealth distribution framework.
Quick answer
Post your NPP in the website footer and on a dedicated /privacy-practices or /privacy page. An HTML page with full NPP text or a prominent PDF download link both satisfy 45 CFR § 164.520(c)(3). Update the posted version any time you issue a revised NPP.
Need a compliant NPP to post?
NPP Generator produces an HHS February 2026 compliant NPP as a clean PDF and editable Word document — ready to post on your website and provide at intake. $49 one-time, no subscription.
Frequently Asked Questions
Does HIPAA require posting the NPP on your website?
Yes. Under 45 CFR § 164.520(c)(3), covered entities with a website providing service information must prominently post the NPP. This applies to virtually every practice with any web presence.
Where exactly on your website should the NPP link go?
The footer is the most common and expected location. You can also place it in your navigation under a "Patient Resources" or "Legal" section, or on a dedicated /privacy-practices page. The key requirement is "prominent" — a link patients can find without hunting.
Does posting on my website satisfy the first-service distribution requirement?
No. Website posting and first-service distribution are separate requirements under 45 CFR § 164.520. You must do both — post on your website and provide the NPP directly to each patient at first service (in person or electronically).
My website is just a simple one-page site — do I still need to post the NPP?
If your website has any information about your health care services (hours, location, specialties, contact info), you are likely subject to the website posting requirement. Add a footer link to your NPP — it takes minutes and eliminates the compliance risk.